CVE-2013-7108 Information
Description
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
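The description names the mechanism (a long string in the last key/value entry makes a loop over the CGI variable list read one slot past the end of a heap array) but the page carries no code. The block below is an added example, a constructed model of how an off-by-one of that shape arises when the "skip this entry" branch advances the loop index itself and the for-loop advances it again. It is not Nagios or Icinga source and makes no claim about the exact lines changed in the referenced commit; MAX_INPUT_BUFFER, split_query, scan_vars, over_reads, accepted_vars and the query strings are all this example's own. The scan is instrumented so it reports the slot it would have dereferenced instead of touching memory past the NULL sentinel.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the flaw class in the description (added example, not
   Nagios or Icinga source). The limit is kept small so a "long" value is short
   enough to type; the real limit is irrelevant to the index arithmetic. */
#define MAX_INPUT_BUFFER 16

static char *dupstr(const char *s) {
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    if (d) memcpy(d, s, len);
    return d;
}

/* Split "host=a&service=b" into a heap-allocated, NULL-terminated array of
   "key=value" strings, the shape a parsed CGI variable list takes. */
static char **split_query(const char *query, int *count) {
    int cap = 1;
    for (const char *p = query; *p; p++) if (*p == '&') cap++;
    char **vars = calloc((size_t)cap + 1, sizeof *vars);   /* +1: NULL sentinel */
    char *copy = dupstr(query);
    int n = 0;
    for (char *tok = strtok(copy, "&"); tok; tok = strtok(NULL, "&"))
        vars[n++] = dupstr(tok);
    vars[n] = NULL;
    free(copy);
    *count = n;
    return vars;
}

static void free_vars(char **vars, int count) {
    for (int i = 0; i < count; i++) free(vars[i]);
    free(vars);
}

/* Walk the list as a process_cgivars()-style loop does, skipping entries that
   would not fit the input buffer. With double_increment set, the skip branch
   advances the index itself and the for-loop advances it again, so the index
   moves by two. When the LAST entry is the long one, that lands one slot past
   the NULL sentinel: the next pointer-sized chunk of heap memory would be
   treated as a char*. Instrumented: stops before touching that slot and
   returns the highest index it would have dereferenced. */
static int scan_vars(char **vars, int count, int double_increment, int *accepted) {
    int max_index = -1;
    *accepted = 0;
    for (int x = 0; ; x++) {
        if (x > max_index) max_index = x;
        if (x > count)                 /* slot after the sentinel: out of bounds */
            break;
        if (vars[x] == NULL)           /* the sentinel itself is a legal read */
            break;
        if (strlen(vars[x]) >= MAX_INPUT_BUFFER - 1) {
            if (double_increment) x++; /* the off-by-one: for-loop adds another ++ */
            continue;
        }
        (*accepted)++;                 /* a real CGI would parse key=value here */
    }
    return max_index;
}

/* 1 if scanning query would dereference a slot beyond the NULL sentinel. */
int over_reads(const char *query, int double_increment) {
    int count, accepted;
    char **vars = split_query(query, &count);
    int max_index = scan_vars(vars, count, double_increment, &accepted);
    free_vars(vars, count);
    return max_index > count;
}

/* Number of variables the loop actually processes. */
int accepted_vars(const char *query, int double_increment) {
    int count, accepted;
    char **vars = split_query(query, &count);
    scan_vars(vars, count, double_increment, &accepted);
    free_vars(vars, count);
    return accepted;
}

int main(void) {
    /* constructed inputs: one long value at the end, one at the start */
    const char *last_long  = "host=a&service=aaaaaaaaaaaaaaaaaaaa";
    const char *first_long = "host=aaaaaaaaaaaaaaaaaaaa&service=b";
    printf("last long,  x++ in skip: over-read=%d accepted=%d\n",
           over_reads(last_long, 1), accepted_vars(last_long, 1));
    printf("last long,  fixed:       over-read=%d accepted=%d\n",
           over_reads(last_long, 0), accepted_vars(last_long, 0));
    printf("first long, x++ in skip: over-read=%d accepted=%d\n",
           over_reads(first_long, 1), accepted_vars(first_long, 1));
    printf("first long, fixed:       over-read=%d accepted=%d\n",
           over_reads(first_long, 0), accepted_vars(first_long, 0));
    return 0;
}
```

Two things to check in a real loop of this shape: first, whether any branch that ends in `continue` also touches the induction variable (the fix is simply to let the for-loop do the only increment); second, what happens when the long entry is not last. The model shows that case too: the extra increment silently drops the variable that follows the long one, a correctness bug that does not over-read and so would not show up under AddressSanitizer, whereas the last-entry case would be reported as a heap-buffer-overflow read the moment the uninstrumented loop dereferenced `vars[count + 1]`.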
Reference
http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00068.html
http://secunia.com/advisories/55976
http://secunia.com/advisories/56316
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
http://www.mandriva.com/security/advisories?name=MDVSA-2014:004
http://www.openwall.com/lists/oss-security/2013/12/24/1
http://www.securityfocus.com/bid/64363
https://dev.icinga.org/issues/5251
https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html
https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/